[Snyk] Fix for 14 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • deps/npm/package.json
  • deps/npm/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	619/1000 Why? Has a fix available, CVSS 8.1	Prototype Pollution SNYK-JS-AJV-584908	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	No	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	Yes	Proof of Concept
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536528	No	No Known Exploit
	624/1000 Why? Has a fix available, CVSS 8.2	Arbitrary File Overwrite SNYK-JS-TAR-1536531	No	No Known Exploit
	410/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579147	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579152	No	No Known Exploit
	639/1000 Why? Has a fix available, CVSS 8.5	Arbitrary File Write SNYK-JS-TAR-1579155	No	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	434/1000 Why? Has a fix available, CVSS 4.4	Time of Check Time of Use (TOCTOU) npm:chownr:20180731	No	No Known Exploit
	469/1000 Why? Has a fix available, CVSS 5.1	Denial of Service (DoS) npm:mem:20180117	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: ansi-regex

The new version differs by 18 commits.

• a9babce 5.0.1
• 4657833 fix incorrect format
• c3c0b3f Fix potential ReDoS (logo ideas nodejs/node#37)
• 178363b Move to GitHub Actions (net: give better error messages nodejs/node#35)
• 0755e66 Add @ Qix- to funding.yml
• 2b56fb0 5.0.0
• f26f7fe Meta tweaks
• e77ea17 Add TypeScript definition (docs: replace all instances of node.js with io.js because trademark. nodejs/node#32)
• 166a0d5 Require Node.js 8
• f115fca Tidelift tasks
• a079ab2 4.1.0
• 96200bb Support more escape types like links (docs: added a the nodejs/node#29)
• e076cd1 Add Tidelift mention in the readme
• a1d9246 4.0.0
• ced7421 Require Node.js 6
• eac826a Add option to only match the first occurrence (Simple project messaging. nodejs/node#24)
• 385eca9 Add scroll escapes (Confirmation around contributing nodejs/node#20)
• 14839a4 Add failing test for add issue contributing section nodejs/node#21 (Adding Governance, Contribution Policy, and CoC nodejs/node#22)

See the full diff

Package name: cacache

The new version differs by 9 commits.

• 41e12c1 chore(release): 11.0.1
• 208b7bd deps: bump ssri
• aa59d82 chore(release): 11.0.0
• 33d4eed feat(opts): use figgy-pudding for opts (unable to deal with file names that have invalid encoding nodejs/node#128)
• 529f347 meta: drop support for node@4
• 4446327 test: use nyc through tap
• 109ff93 standard: --fix for standard@11
• 3817b7a deps: bump devDeps
• a7d25b4 deps: bump deps

See the full diff

Package name: chownr

The new version differs by 9 commits.

• 76c21fa 1.1.0
• e8f0dc7 auto-publish scripts
• b196e0e add tests for old readdir support
• e06dd8a Avoid unnecessary stats on node v10.10 and above
• 36a93e3 use lchown to address part 1 of TOCTOU issue
• a631d84 use lchown instead of chown, if available
• cdd4ce7 use modern JavaScript
• d548650 update tap
• 924de1e update travis

See the full diff

Package name: hosted-git-info

The new version differs by 61 commits.

• 8d4b369 chore(release): 2.8.9
• 29adfe5 fix: backport regex fix from doc: fixes grammar nodejs/node#76
• afeaefd chore(release): 2.8.8
• 5038b18 fix: My contribution to this logo throw in. nodejs/node#61 & stream.read(0) should not trigger the end event if there is no underlying data nodejs/node#65 addressing issues w/ url.URL implmentation which regressed node 6 support
• 7440afa chore(release): 2.8.7
• 2d0bb66 fix: Do not attempt to use url.URL when unavailable
• f2cdfcf fix: Do not pass scp-style URLs to the WhatWG url.URL
• e1b83df chore(release): 2.8.6
• ff259a6 Ensure passwords in hosted Git URLs are correctly escaped
• 624fd6f chore(release): 2.8.5
• e8325b5 fix: updated pathmatch for gitlab
• 4e4ea0f test: added script to get coverage report
• 4eb69eb test: removed unused testing structure
• ba44d9f test: moved all github url tests together
• 8d24551 test: added refactered tests for bitbucket
• 1fd9d66 test: added ignore; for 100% testing (this seems wonky)
• 921e6dd test: added basic test for ._fill() method
• ffe056f fix: updated pathmatch for gitlab
• 53364f9 test: added refactered tests for gists
• 888f9b4 test: added default fixtures and github specific fixtures
• 3d1ad71 chore(release): 2.8.4
• 2070453 chore: add npm dist-tag for legacy publishes
• f392f82 use var instead of let/const for ancient nodes
• cbf63b7 chore(release): 2.8.3

See the full diff

Package name: libnpx

The new version differs by 41 commits.

• 84eeb54 chore(release): 10.2.4
• 7a03da5 test: patch child.js test
• 122ed5c deps: update yargs
• fa6a282 chore(release): 10.2.3
• 7d90a71 chore: update project settings, remove weall* stuff
• 26a8394 chore(release): 10.2.2
• e0eb3cb fix: install latest npm on travis for node 6
• e8b4a7e chore: put node 6 back in travis set
• 9a23db1 fix: correct Kat's github url
• 3733137 fix: Update changelog to fix old issue links
• 3192e0f v10.2.1
• 40df81c fix: point repo at proper git remote
• 43d68c8 fix: spurious test failure
• f51a8d3 travis: only test on supported node versions
• b7c8b9f fix(platform): drop node 4 and 7, add 9 and 10
• cf6437c chore(release): 10.2.0
• 3d87e8f standard: resolve linting nits. (debugger: improve clearBreakpoint error and docs nodejs/node#175)
• cba97bb fix(spawn): spawn child processes with node without relying on the shebang. (lib,src: remove post-gc event infrastructure nodejs/node#174)
• 11d9fe0 fix(i18n): fix korean; 쉘 -> 셸 (io.js TC Meeting 2014-12-17 nodejs/node#163)
• 5da008b feat(i18n): add translation (Added DS_Store to gitignore nodejs/node#159)
• 6df03a3 meta: add engines field (fs: deprecate exists() and existsSync() nodejs/node#166)
• fe0d48a fix(windows): Allow spaces in the node path when using --node-arg (Support promises in the fs module nodejs/node#173)
• 13fea31 chore(release): 10.1.1
• bfaaaa6 chore(release): 10.1.0

See the full diff

Package name: npm-lifecycle

The new version differs by 12 commits.

• cf5f5ca chore(release): 2.1.1
• dbbfe27 deps: bump deps to fix security advisories
• e96f550 deps: update node-gyp to v4.0.0
• f6cef1c chore: update CI for current Node LTS
• c137ac7 deps: bump devDeps
• 62c07d3 deps: bump deps
• 220cd70 fix(test): update postinstall script for fixture
• d7a014f chore(release): 2.1.0
• 9169ec6 deps: bump devDeps
• dfa3ebd deps: bump deps
• e206aa0 feat(ci): add node@10 to CI
• 8fcaa21 fix(windows): revert writing all possible cases of PATH variables (Adding Governance, Contribution Policy, and CoC nodejs/node#22)

See the full diff

Package name: pacote

The new version differs by 6 commits.

• 118157c chore(release): 8.0.0
• d94abdb deps: bump devDeps
• 6737bf6 deps: bump deps
• 4af129e meta: bump pkglock to npm@6 version
• 11478ff meta: drop support for node@4
• 85b269b fix(git): make full clones do a full mirror

See the full diff

Package name: request

The new version differs by 41 commits.

• 6420240 2.88.0
• bd22e21 fix: massive dependency upgrade, fixes all production vulnerabilities
• 925849a Merge pull request Looks like readline don't always triggers keypress events on Windows nodejs/node#2996 from kwonoj/fix-uuid
• 7b68551 fix(uuid): import versioned uuid
• 5797963 Merge pull request Need a way to detect end of stream on custom Writable Streams implementing _write nodejs/node#2994 from dlecocq/oauth-sign-0.9.0
• 628ff5e Update to oauth-sign 0.9.0
• 10987ef Merge pull request tools: Added .editorconfig file for basic encoding/indentation enforcement nodejs/node#2993 from simov/fix-header-tests
• cd848af These are not going to fail if there is a server listening on those ports
• a92e138 src: fixed a small inconsistency between a check and error nodejs/node#515, All my processors jump to 100% when compiling nodejs/node#2894 Strip port suffix from Host header if the protocol is known. (net: type check createServer options object nodejs/node#2904)
• 45ffc4b Improve AWS SigV4 support. (Crash when working with node-ffi on Windows and Mac nodejs/node#2791)
• a121270 Merge pull request V8 Changes - HasIndexedPropertiesInExternalArrayData, GetIndexedPropertiesExternalArrayDataLength, GetIndexedPropertiesExternalArrayData no longer available - what to use instead? nodejs/node#2977 from simov/update-cert
• bd16414 Update test certificates
• 536f0e7 2.87.1
• 02fc5b1 Update changelog
• de1ed5a 2.87.0
• a6741d4 Replace hawk dependency with a local implemenation (Release Proposal: v4.1.1 nodejs/node#2943)
• a7f0a36 2.86.1
• 8f2fd4d Update changelog
• 386c7d8 2.86.0
• 76a6e5b Merge pull request Linux node version 0.10.12 does not contain .configure or make files nodejs/node#2885 from ChALkeR/patch-1
• db76838 Merge branch 'patch-1' of github.com:ChALkeR/request
• fb7aeb3 Merge pull request Cannot override arm_fpu config nodejs/node#2942 from simov/fix-tests
• e47ce95 Add Node v10 build target explicitly
• 0c5db42 Skip status code 105 on Node > v10

See the full diff

Package name: strip-ansi

The new version differs by 15 commits.

• 59533da 6.0.0
• 976f459 Require Node.js 8
• 57878e2 Tidelift tasks
• a022f23 Tidelift tasks
• b9c4929 5.2.0
• 81cd3cc Meta tweaks
• 89dc7f6 Add TypeScript definition (Initial Release nodejs/node#28)
• 5cb7e20 Fix readme (Community contrib direction nodejs/node#27)
• 581fd4e 5.1.0
• 41b0a8b Add support for terminal link (GitHub issue management nodejs/node#26)
• 841f0c4 Add security section
• dfab677 5.0.0
• 6a25566 Require Node.js 6 and upgrade dependencies
• e8d149c Add Tidelift mention in the readme
• 52dcf65 Add related streaming version of this module to the readme (domain: add arguments for the function in domain.run() nodejs/node#15)

See the full diff

Package name: update-notifier

The new version differs by 31 commits.

• adf7803 4.0.0
• fb5161c Remove the `callback` option (RFC: bundle tick processor with iojs nodejs/node#158)
• 39682de Rename `boxenOpts` option to `boxenOptions`
• bc1721a Avoid showing notification if current version is the latest (lib,src: remove post-gc event infrastructure nodejs/node#174)
• ccaf686 Update dependencies
• b1525e6 Disable when `NODE_ENV` is `test` (Support promises in the fs module nodejs/node#173)
• bf73119 Fix install command for npm global (lib: fix guard expression in timer.unref() nodejs/node#165)
• 592b025 3.0.1
• f8b4e60 Update Travis matrix
• a6d6b49 Update URL to TTY (io.js TC Meeting 2014-12-17 nodejs/node#163)
• f9d168a Remove object spread to support node >=8.0.0 <8.6.0 (Implement Blob and FileReader nodejs/node#164)
• 1712928 Tidelift tasks
• 72f83d1 Create funding.yml
• a7bb3ee 3.0.0
• ad8ed1b Suggest yarn when installed with yarn (benchmark: pre-optimize url.parse() before start nodejs/node#132)
• 5f06620 Exit the update check process if it does not respond after 30s (build: remove support for VS 2010 and 2012 nodejs/node#156)
• 79e89ad Fix failing test (docs: changed example in streams for write() after end() nodejs/node#155)
• c8faa84 Add `distTag` option (Clarify that “io.js” is the only correct name nodejs/node#151)
• 14632e4 Add failing test for [stream] - callback based API additions nodejs/node#153 (src: fix addon loader regression nodejs/node#154)
• aafd8a0 Require Node.js 8
• 0d49f51 Add Tidelift mention in the readme
• 8df01b3 Fix docs position of `shouldNotifyInNpmScript` (doc: cherry-pick tc-minutes from master nodejs/node#143)
• d371834 Docs: isGlobal option does not default to true (docs: Supplement docs for Writable and Transform streams nodejs/node#142)
• 5cd6577 2.5.0

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic